If anyone wants/needs to update their guzzlehttp/psr7 to fix the reported vulnerability, here's how you can do it immediately without waiting for a new Azure SDK release (which experience from previous releases tells me will not happen any time soon):
{
    "patches": {
        "microsoft/azure-storage-table": {
            "No EOLs in Content-Type headers": "patches/azure-328-no-eol-in-headers.diff"
        }
    }
}
And finally, install and use the cweagans/composer-patches Composer plugin to patch the file locally. Run composer update microsoft/azure-storage-table after installing the plugin.
Once, and if, the maintainers release the new version, you can simply remove the plugin and the composer.patches.json file (and PATCHES.txt from the vendor/microsoft/azure-storage-table dir).
Which service(blob, file, queue, table) does this issue concern?
Table
Which version of the SDK was used?
1.1.5
What's the PHP/OS version?
PHP 8+/Ubuntu
What problem was encountered?
After upgrading guzzlehttp/psr7 to 2.1.1+, batch requests fail
Steps to reproduce the issue?
InvalidArgumentException is thrown with
This is because guzzlehttp/psr7 has fixed a security vulnerability (CVE-2022-24775) and the fix broke MimeReaderWriter::encodeMimeMultipart():
azure-storage-php/azure-storage-table/src/Table/Internal/MimeReaderWriter.php
Line 76 in 0539ffb
encodeMimeMultipart() is used in \MicrosoftAzure\Storage\Table\TableRestProxy::createBatchRequestBody, which in turn is used in \MicrosoftAzure\Storage\Table\TableRestProxy::batchAsync.
This is the guzzlehttp/psr7 fix: guzzle/psr7#485 (relevant lines); it has disallowed new lines in header values. Please note the regex was updated in guzzle/psr7#492 but that wasn't relevant to the reported issue.
Have you found a mitigation/solution?
Yes #328 but you know me already 😅
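The kind of header-value check the issue describes, written here as an added example (not code from the issue, the Azure SDK or guzzlehttp/psr7). The function names, the character class taken from RFC 7230 and the sample Content-Type values are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Reject header values containing anything outside the RFC 7230 field-value
 * characters: SP, HTAB, visible ASCII (0x21-0x7E) and obs-text (0x80-0xFF).
 * CR, LF and NUL are refused. The D modifier matters: without it, "$" also
 * matches just before a trailing "\n", so "value\n" would slip through.
 */
function assertValidHeaderValue(string $name, string $value): void
{
    if (preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value) !== 1) {
        // addcslashes() makes control bytes visible in the message.
        $shown = addcslashes($value, "\0..\37\177..\377");
        throw new InvalidArgumentException("Invalid value for header {$name}: \"{$shown}\"");
    }
}

/**
 * Caller-side handling (an assumption of this example, not the SDK patch):
 * drop end-of-line bytes at the end of the value, then validate. An EOL in
 * the middle of the value is never repaired, only rejected.
 */
function normalizeHeaderValue(string $name, string $value): string
{
    $clean = rtrim($value, "\r\n");
    assertValidHeaderValue($name, $clean);
    return $clean;
}

// Constructed sample values; the boundary string is made up.
$samples = [
    'clean'        => 'multipart/mixed; boundary=batch_example',
    'trailing EOL' => "multipart/mixed; boundary=batch_example\r\n",
    'embedded EOL' => "multipart/mixed;\r\n boundary=batch_example",
];

foreach ($samples as $label => $value) {
    foreach (['assertValidHeaderValue', 'normalizeHeaderValue'] as $check) {
        try {
            $check('Content-Type', $value);
            echo "{$label} via {$check}: accepted\n";
        } catch (InvalidArgumentException $e) {
            echo "{$label} via {$check}: rejected ({$e->getMessage()})\n";
        }
    }
}
```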